
The Central Bank here is to launch simulated cyberattacks on banks, to stress test the resilience of the sector to sophisticated hacking.

The attacks will conform to an ECB framework for controlled and bespoke tests against cyberattacks in the financial market, based on earlier models developed in the UK and the Netherlands.

It is not yet clear whether customers could, temporarily, lose access to banks while attacks are in progress.

The ECB said yesterday that it designed the new test to simulate cyberattacks on banks, stock exchanges and other regulated firms deemed critical for the functioning of the financial system.

The move follows a string of heists and attacks by hackers on lenders and central banks over the past two years, including one that disrupted online and mobile services at the Netherlands’ three top banks earlier this year.

The ECB initiative aims to create a single framework for testing the cyber-resilience of EU financial firms, including cross-border institutions.

The framework envisages, among other tools, ‘red teams’ (RTs) of external hackers hired to find and exploit vulnerabilities in the companies being tested, a technique derived from the military world and widely used in the private sector.

“The test objectives… are the flags that the RT provider must attempt to capture during the test as it progresses through the scenarios,” the ECB said.

But its European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU) will simply serve as a guideline and it will be for authorities on the ground, including the Central Bank of Ireland, headed by Governor Philip Lane, to carry out any test.

“It is up to the relevant authorities and the entities themselves to determine if and when TIBER-EU based tests are performed,” the ECB said.

Regulators here have already warned banks that their technology infrastructure must be up to standard in order for them to be allowed to operate. The ECB said firms won’t be punished for succumbing to the cyber stress-tests.

“Tests will be tailor-made and will not result in a pass or fail – rather they will provide the tested entity with insight into its strengths and weaknesses, and enable it to learn and evolve to a higher level of cyber maturity,” it added.

In one of the most high-profile cases to date, hackers breached the central bank of Bangladesh’s systems in early 2016 and tricked the Federal Reserve Bank of New York into sending as much as $81m to accounts in the Philippines. (Additional reporting Reuters)